If local address starts with 127.0.0.1 the process is listening to localhost only, there is no need to protect this service using fail2ban. If the address is listed as 0.0.0.0 the service is listening on all interface – so also on the public IP address. This is a potential candidate to be monitored. Some services might also be configured to listen to one public IP address which is stated then in the local address column. This is a candidate to be protected also.